Alert

Buffer Overflow in Microsoft Internet Explorer

Last Revised: December 3, 2004
Alert Code: TA04-315A

Systems Affected

Microsoft Windows systems running

Overview

Microsoft Internet Explorer (IE) contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code with the privileges of the user running IE.


Description

A buffer overflow vulnerability exists in the way IE handles the SRC and NAME attributes of various elements, including FRAME and IFRAME. Because IE fails to check the length of a NAME or SRC attribute value against the size of the heap buffer it copies the value into, a specially crafted HTML document can overflow heap memory. Because the layout of the heap varies from one run to the next, it is usually difficult for attackers to turn this type of overflow into reliable execution of arbitrary code.

However, if heap memory is prepared in a special manner beforehand, an attacker can execute arbitrary code far more reliably. Publicly observed exploits use scripting to prepare the heap, though this could also be accomplished without scripting. Without the ability to prepare the heap, the impact is most likely limited to denial of service (a crash of IE).
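The pattern described above, as an added example that is not code from the original alert, from Microsoft, or from any published exploit: a hypothetical attribute handler that copies a NAME or SRC value into a fixed-size heap block without checking its length, the checked replacement, and a small scanner of the kind a mail gateway or proxy filter could use to flag FRAME/IFRAME attribute values long enough to trip such a buffer. The buffer size (ATTR_BUF_SIZE), the function names and the sample HTML are all assumptions; the alert gives neither IE's internal buffer size nor its parsing code.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed heap buffer a parser might allocate for one
 * attribute value. Illustrative only: the alert does not give IE's size. */
#define ATTR_BUF_SIZE 256

/* Vulnerable pattern: the value is copied into a fixed-size heap block with
 * no length check, so a NAME or SRC value of ATTR_BUF_SIZE bytes or more
 * writes past the end of the block (a heap overflow). Never call this with
 * untrusted input; it is shown only to contrast with the checked version. */
char *copy_attr_unchecked(const char *value)
{
    char *buf = malloc(ATTR_BUF_SIZE);
    if (buf == NULL) return NULL;
    strcpy(buf, value);              /* unchecked copy: the bug */
    return buf;
}

/* Hardened pattern: compare the length against the allocation first and
 * reject values that do not fit (NULL tells the caller to drop the element). */
char *copy_attr_checked(const char *value)
{
    size_t len = strlen(value);
    if (len >= ATTR_BUF_SIZE) return NULL;   /* keep room for the terminator */
    char *buf = malloc(ATTR_BUF_SIZE);
    if (buf == NULL) return NULL;
    memcpy(buf, value, len + 1);
    return buf;
}

/* Case-insensitive prefix test (HTML tag and attribute names ignore case). */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* True if p (just after '<') starts exactly the tag `name`, so "frame"
 * matches <frame> but not <frameset>. */
static int tag_is(const char *p, const char *name)
{
    return starts_with_ci(p, name) && !isalnum((unsigned char)p[strlen(name)]);
}

/* Length of an attribute value at p: quoted with " or ', or an unquoted run
 * ending at whitespace or '>'. */
static size_t attr_value_len(const char *p)
{
    size_t n = 0;
    if (*p == '"' || *p == '\'') {
        char q = *p++;
        while (p[n] && p[n] != q) n++;
        return n;
    }
    while (p[n] && !isspace((unsigned char)p[n]) && p[n] != '>') n++;
    return n;
}

/* Gateway-style check: count FRAME/IFRAME NAME or SRC attribute values of
 * `limit` bytes or more in an HTML document. */
int count_oversized_frame_attrs(const char *html, size_t limit)
{
    int hits = 0;
    const char *p = html;
    while ((p = strchr(p, '<')) != NULL) {
        p++;
        if (!tag_is(p, "frame") && !tag_is(p, "iframe")) continue;
        while (*p && *p != '>' && !isspace((unsigned char)*p)) p++;  /* tag name */
        while (*p && *p != '>') {                                   /* attributes */
            while (isspace((unsigned char)*p)) p++;
            const char *name = p;
            while (*p && *p != '=' && *p != '>' && !isspace((unsigned char)*p)) p++;
            size_t name_len = (size_t)(p - name);
            while (isspace((unsigned char)*p)) p++;
            if (*p != '=') continue;            /* bare attribute, e.g. noresize */
            p++;
            while (isspace((unsigned char)*p)) p++;
            size_t vlen = attr_value_len(p);
            int interesting = (name_len == 4 && starts_with_ci(name, "name")) ||
                              (name_len == 3 && starts_with_ci(name, "src"));
            if (interesting && vlen >= limit) hits++;
            if (*p == '"' || *p == '\'') {      /* step over the quoted value */
                char q = *p++;
                p += vlen;
                if (*p == q) p++;
            } else {
                p += vlen;
            }
        }
    }
    return hits;
}

/* Constructed sample (not a real exploit): a benign IFRAME followed by a
 * FRAME whose NAME value is padded well past ATTR_BUF_SIZE. */
const char *sample_html(void)
{
    static char html[1024];
    char big[600];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    snprintf(html, sizeof html,
             "<html><body><iframe src=\"http://example.invalid/a\" name=\"ok\">"
             "</iframe><FRAME NAME=\"%s\" src=x></body></html>", big);
    return html;
}

int main(void)
{
    const char *html = sample_html();
    printf("oversized FRAME/IFRAME attributes: %d\n",
           count_oversized_frame_attrs(html, ATTR_BUF_SIZE));
    char *ok = copy_attr_checked("ok");
    printf("checked copy of \"ok\": %s\n", ok ? ok : "rejected");
    free(ok);
    printf("checked copy of a %zu-byte value: %s\n", strlen(html),
           copy_attr_checked(html) ? "accepted" : "rejected");
    return 0;
}
```

Compile with `cc -std=c99 -Wall`. The length threshold is a heuristic, not a signature: a document with a very long SRC or NAME is unusual but not proof of an exploit, so treat a hit as grounds to quarantine and inspect the message, and rely on the MS04-040 update for the actual fix.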

Based on limited testing and information from Microsoft, IE 5, IE 6 on Windows XP SP2, and IE 6 on Windows Server 2003 are not vulnerable.

This vulnerability is described in further detail in VU#842160.

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web
page or an HTML email message), an attacker could execute arbitrary code
with the privileges of the user. The attacker could also cause IE (or any
program that hosts the WebBrowser ActiveX control) to crash.

Reports indicate that this vulnerability is being exploited by malicious code propagated via email. When a user clicks on a URL in a malicious email message, IE opens and displays an HTML document that exploits the vulnerability. This malicious code may be referred to as MyDoom.{AG,AH,AI} or Bofra.

Solution

Install an update

Install the appropriate update according to Microsoft Security Bulletin MS04-040. For additional information about the update, including possible adverse effects, please see Microsoft Knowledge Base articles 889293 and 889669.

Install Windows XP SP2

Microsoft Windows XP SP2 is not affected by this vulnerability. Windows XP users should consider updating to SP2.

Disable Active scripting

To help protect against attacks that use scripting to prepare the heap, disable Active scripting in any zone used to render untrusted HTML content (typically the Internet Zone and Restricted Sites Zone). Note that this only removes the scripted heap preparation observed in public exploits; it does not remove the overflow itself, and a crash remains possible. Instructions for disabling Active scripting in the Internet Zone can be found in the Malicious Web Scripts FAQ.

Do not follow unsolicited links

Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels. While this is generally good security practice, following this behavior will not prevent exploitation of this vulnerability in all cases. For example, a trusted web site could be compromised and modified to deliver exploit script to unsuspecting clients.

Read and send email in plain text format

Outlook 2003, Outlook 2002 SP1, and Outlook Express 6 SP1 can be configured to view email messages in plain text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability: the link in a plain-text message still opens the crafted page in IE.

Maintain updated anti-virus software

Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.

Feedback can be directed to the authors: Will Dormann and Art Manion.



Revision History

  • November 10, 2004: Initial release
  • November 11, 2004: Added status information about IE versions, minor changes to Windows XP SP2 workaround and SP2 reference
  • December 3, 2004: Removed EMBED from list of affected elements, updated systems affected, revised SP2 information, added MS04-040 and KB articles to solution
